b2949819e839b39bee345ecbe32b86027ccfa37b453e206273f2d864d44c6114

Analysis

max time kernel
282s
max time network
284s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:09

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ShibaGT_Gold_Lite_v1.dll
Size

2.5MB
MD5

abde02f852d21be64f0accc8c969e115
SHA1

03226be3d6da163e1ebe9c86a5af730cd7ebc5ae
SHA256

b2949819e839b39bee345ecbe32b86027ccfa37b453e206273f2d864d44c6114
SHA512

3e6601e859acc4c3d3b5e4bd38b5a77844d02cf501c4cc6eca15a3b3f8b5f60714a655e67fd1e46ddd78dc77a27b5fcc3d09ec52d3dfda815471843f736b2ef8
SSDEEP

24576:YQm/6BdLyPzrcBtYewrKMAueyE5kZIZkZ:6kdFoe8IZkZ

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
1508	MEMZ.exe
2592	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
456	MEMZ.exe
4348	MEMZ.exe
3960	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
122	raw.githubusercontent.com
123	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "122"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578333913633526"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1140	chrome.exe
1140	chrome.exe
2592	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
4348	MEMZ.exe
2356	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
456	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
456	MEMZ.exe
456	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
456	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
4348	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
4348	MEMZ.exe
2356	MEMZ.exe
4348	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
456	MEMZ.exe
456	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
456	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	4348	MEMZ.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4492	LogonUI.exe
2356	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
4348	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
456	MEMZ.exe
2592	MEMZ.exe
5076	MEMZ.exe
4348	MEMZ.exe
456	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
2592	MEMZ.exe
5076	MEMZ.exe
4348	MEMZ.exe
456	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
456	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe
4348	MEMZ.exe
456	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
4348	MEMZ.exe
456	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
2356	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
456	MEMZ.exe
2592	MEMZ.exe
4348	MEMZ.exe
4348	MEMZ.exe
2356	MEMZ.exe
5076	MEMZ.exe
5076	MEMZ.exe
2356	MEMZ.exe
456	MEMZ.exe
4348	MEMZ.exe
2592	MEMZ.exe
2592	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 4724	1140	chrome.exe	97
PID 1140 wrote to memory of 4724	1140	chrome.exe	97
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 4136	1140	chrome.exe	98
PID 1140 wrote to memory of 3108	1140	chrome.exe	99
PID 1140 wrote to memory of 3108	1140	chrome.exe	99
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100
PID 1140 wrote to memory of 4788	1140	chrome.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ShibaGT_Gold_Lite_v1.dll,#1
1⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1797ab58,0x7ffb1797ab68,0x7ffb1797ab78
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4516 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4088 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4416 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3280 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1828,i,1227465194191094351,1475171981487887557,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1508
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2356
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5076
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:456
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4348
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3960
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3960055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
70f8c3da665ab7a42b54ca0c896eed36

SHA1
b0176d1fc673fa7a75ab1188f11a5b65114138ae

SHA256
cc00d0d9b932e378937ccdbc136fb1df9f380efa4afd2aceba67f89b033399ae

SHA512
1e195461269db3b858049e3cf0a6e52df84f97ba05640656c9df2ba2ca3910ad42d8f9b2a188fc74f31c5fc943e40d057bc1d3476b2fe353fa8a45d80dcf4915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
812419ed21b66dbf55e5b254cd58c85b

SHA1
9e394e967985bef2b9d3b58c453bf4b3b099fcc8

SHA256
4f89b29ec5e1f7b247679f7557d3d44555aede78bf483b105a0d8002d6365186

SHA512
4baed682f28f6fba38c814908d4ebabe0b5fcd92e68d7f7f7efee33c1a8d859b0ff72646ee835252385e040efa9f5e30f51c6cd362426d2c0cf48055de08d3a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cda0914b609735b1fdde0dc3c76dd1a7

SHA1
33affe96b6401ef361af111e1a487ee14e900338

SHA256
416c8d4cfb7d6d333b97ecba0552ad6ab2bee12c831b287754c3863564344938

SHA512
fa97cb8c4dc49ee8c4eda043d508f47185db799d5d48b2d2f80b2d8a7dc4ef0a5987f5fad3d07d774ee806fe06f1bd86d615e40e277f83e7c06b1c959eb83ad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
52709398dfd6d5d04a9ab1646cf0c85a

SHA1
23e1d676c59789b3cd64d09f75ae14fd69f3a052

SHA256
8d6fdf1c505ab5059da339e7efa0514906532655ee618cfbd2a0668004786b3c

SHA512
7475a48549e91ff01d503d9ef0944b48ef4d81923d36f69a10286db2b935a0213709de1b61283ee52c498af7ed5e731c06ab3b74d9332be8e5f4ad05505b7106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
09ccfeb7007d6131385ca62414c64960

SHA1
a6a3d6ef647bf876ee40f11ae69535b3a58ad3f5

SHA256
177767b2de6af3b4f996ac45381cf0d6174d288886f82cfc5e9960a295786180

SHA512
86783961d3872d1f3a8c98af673b88176aef2cf2e0d7eea3073263316a9bc2008be294f93d5bc28f29f59bf8aa2ec673cdd3257cd7c87c04284fe26ed425b72f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
48724f5e5c06f1b490f4594fdd6424ea

SHA1
ff7bf6375d8d392e345f9b8b1fb2693c0b64ecbc

SHA256
e153818058dd087518718a25f8b00a8571d0ce10b79eba45ae7a949aa45989dc

SHA512
40a926d78b967b18cfb8ea7f3b3c062ca6f422b8b058209d506da4a267a5f7f92c287d0763d39223a5e6e7c0f5a427121c2fdaa97b3de51a533eb61bddf4e46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
fcae1fdf4a829bfb1b6b07cee896c35b

SHA1
551119357ce63a81cd02bf03540bab825c307dd6

SHA256
a2f2b91f92a8f4200ddd20efaac4bee5649758ae433a93e24b32dbd42e5f16f1

SHA512
584afae30c7cd58de797b9a413efe2dd9ef45e1fed138b7d9206d08063c76173ff2a7a0fb31d633843d374bf73a2642755ce9c9c6bffddd439e17d9ad2244411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
29e43b5abcd0bab31fd8415ac40738bd

SHA1
173741ed757cac810894fdd1e9f21d0be31f1c43

SHA256
ac8d5a89927cb7311ae8a2c1b740e3a3e2719f7200c8d7589ec18ecd93f8a1e1

SHA512
74000fdbacac5c6c262b0373c5c3616d5b5d503d90afc0965c98caaa2abb77f3b9cc80d67777f74243cca752793cf935d0d5b25e7d85c6d81780948431c40287

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads